TCH Privacy Notice: Reviewed February 2026
Grip UK (trading as The Climbing Hangar) (“we”, “us”, “TCH”, “the Wall”) registered company number 07248432 is committed to protecting your privacy. At all times we aim to respect any personal information you share with us, or that we receive from others, and keep it safe. This Privacy Notice (“Notice”) sets out our data processing practices and your rights and options regarding the ways in which your personal information is used and collected (including through our website – http://theclimbinghangar.com).
This Notice is provided in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. Where EU data protection law applies in relation to particular processing activities, we will also comply with the EU General Data Protection Regulation (“EU GDPR”) where required.
This Notice contains important information about your personal rights to privacy. Please read it carefully to understand how we use your personal information.
The provision of your personal information to us is voluntary. However, without providing us with your personal information, your use of our services or your interaction with us may be impaired. For example, you may be unable to sign up as a member, or make an online booking.
We collect personal information about you:
a) When you give it to us directly
For example, personal information that you submit through our website by making a booking to use our facilities, registering as a member or signing up for our email newsletter; or personal information that you give to us when you communicate with us by email, phone or letter. For example, we use Rock Gym Pro to manage memberships, bookings and customer profiles.
b) When we obtain it indirectly
For example, your personal information may be shared with us by third parties including, for example, the Association of Climbing Walls (Britain) Limited (“ABC”), an organisation established to promote safe management practices in climbing walls of which we are a member; third party service providers; analytics providers and search information providers. To the extent we have not done so already, we will notify you when we receive personal information about you from them and tell you how and why we intend to use that personal information. Please note that incident reports are uploaded to the Association of British Climbing Walls (Britain) Limited (“ABC”) incident reporting system (https://report.abcwalls.co.uk/auth/login) as part of our safety management practices. ABC may process incident information for its own safety monitoring purposes as an independent organisation.
c) When it is available publicly
Your personal information may be available to us from external publicly available sources. For example, depending on your privacy settings for social media services, we may access information from those accounts or services (for example when you choose to interact with us via Facebook or Instagram.
d) When you visit our website
When you visit our website, we automatically collect the following types of personal information:
i) Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
ii) Information about your visit to the websites, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
iii) We collect and use your personal information by using cookies on our website – please see our Cookie Policy. Non-essential cookies will be used only with your consent, in line with PECR.
iv) In general, we may combine your personal information from these different sources set out in a-d above, for the purposes set out in this Notice.
1. What personal information do we use?
We may collect, store and otherwise process the following kinds of personal information:
- your name and contact details including postal address, telephone number, email address, emergency contact details and, where applicable, social media identity;
- your date of birth and gender;
- your financial information, such as bank details and/ or credit/ debit card details,
- information about your computer/ mobile device and your visits to and use of this website, including, for example, your IP address and geographical location;
- personal descriptions and photographs;
- details of your qualifications/ experience;
- CCTV images
- Information relating to accidents or medical emergencies on the premises
- Medical information where you choose to tell us about a medical condition, and/or where a pre-existing medical condition is relevant to an incident, injury or medical emergency occurring on our premises.
and/ or any other personal information which we obtain as per paragraph 1.
2. Do we process special categories of data?
The UK General Data Protection Regulation (“UK GDPR”) recognises certain categories of personal information as sensitive (known as “special category data”) and therefore requiring more protection, for example information about your health, ethnicity and religious beliefs.
In certain situations, TCH may collect and/or use these special categories of data (for example, information on climbers’ medical conditions relevant to their use of our facilities). We will only process these special categories of data if there is a valid reason for doing so and where the UK GDPR allows us to do so. Where we process health information in connection with accidents or incidents, we do so only where necessary for health and safety purposes, and with appropriate safeguards.
3. How and why will we use your personal information?
Your personal information, however provided to us, will be used for the purposes specified in this Notice. In particular, we may use your personal information:
a) to register you as a member of TCH;
b) to allow you to make a booking to use our facilities;
c) to otherwise provide you with services, products or information you have requested;
d) to provide further information about our work, services or activities (where necessary, only where you have provided your consent to receive such information);
e) to assist you with certification schemes, such as NICAS Bouldering including where relevant sharing necessary information with awarding bodies and certification schemes you choose to participate in;
f) to answer your questions/ requests and communicate with you in general;
g) to allow you to apply for a job or volunteer role with us;
h) to manage relationships with our partners and service providers;
i) to analyse and improve our work, services, activities, products or information (including our website), or for our internal records;
j) to keep our facilities safe and secure, including by using CCTV in our centres for safety and security purposes; CCTV footage is normally retained for up to 30 days unless required for investigation.;
k) to run/administer the activities of TCH, including our website, and ensure that content is presented in the most effective manner for you and for your device;
l) to audit and/ or administer our accounts;
m) to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
n) for the prevention of fraud or misuse of services; and/or
o) for the establishment, defence and/ or enforcement of legal claims.
4. Lawful bases
The UK GDPR requires us to rely on one or more lawful bases to use your personal information.
a) Where you have provided your consent for us to use your personal information in a certain way (for example, we may ask for your consent to use your personal information to send you email newsletters, or to collect special categories of your personal information. Special categories of personal information are explained in paragraph 2 above).
b) Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).
c) Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract (for example, to provide you access to our facilities in return for your booking fee).
d) Where it is in your/someone else’s vital interests (for example, in case of medical emergency suffered by a climber).
e) Where there is a legitimate interest in us doing so.
The UK GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights as an individual).
In broad terms, our “legitimate interests” means the interests of running of TCH as a commercial entity and ensuring the best possible user experience.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and on your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
We will use your personal information for marketing communications only where permitted under the Privacy and Electronic Communications Regulations (“PECR”) and applicable data protection law (see paragraph 5 below).
Lawful Basis and Processing Overview
Purpose | Personal Data Used | Lawful Basis (UK GDPR Art. 6) | Special Category Condition (Art. 9) | Shared With | Retention |
Membership registration and account management | Name, DOB, contact details, emergency contact | Contract – Art. 6(1)(b) | N/A | Rock Gym Pro | 6 years after last activity |
Booking and service delivery | Membership status, booking history | Contract – Art. 6(1)(b) | N/A | Rock Gym Pro | 6 years |
Payment processing | Transaction data (card handled by provider) | Contract – Art. 6(1)(b) | N/A | Stripe | Per provider policy |
Safety monitoring and incident response | Incident details, witness statements | Legal obligation – Art. 6(1)(c) and Legitimate interests – Art. 6(1)(f) | May apply if health data involved | ABC incident system | Minimum 3 years (or until age 21 for minors) |
Recording relevant medical info during incidents | Asthma or relevant condition if needed | Legal obligation + legitimate interests | Art. 9(2)(b) + (h), Schedule 1 DPA 2018 | ABC reporting | Long-term safety record retention |
CCTV monitoring for security | CCTV footage | Legitimate interests – Art. 6(1)(f) | N/A | Security/Police where required | 30 days |
Children’s memberships and safeguarding | Child details, parent consent, emergency contacts | Contract + Legal obligation | N/A | Rock Gym Pro | Until age 21 for relevant records |
Marketing communications | Email address, preferences | Consent OR soft opt-in under PECR | N/A | SendGrid (from Feb 13) | Until opt-out |
Handling enquiries and customer support | Email, message history | Legitimate interests – Art. 6(1)(f) | N/A | IT providers | 2 years typical |
Employment and HR administration | Recruitment info, payroll, training records | Contract + Legal obligation | Possibly health data for occupational records | Payroll/HR providers | As per statutory schedule |
Data subject rights requests (SARs, deletion) | Identity info, correspondence | Legal obligation – Art. 6(1)(c) | N/A | MSP support | 1 year after completion |
5. Communications for marketing/promotional purposes
We may use your contact details to provide you with information about our work, events, services and/or activities which we consider may be of interest to you (for example, about services you previously used, or events involving our, or other walls’, facilities).
Where we do this via email or SMS, we will only do so where permitted under PECR and applicable law, for example where you have provided your consent or where the “soft opt-in” applies for existing customers (and in all cases you can opt out at any time). Where we do this via telephone, we will comply with applicable rules including the Telephone Preference Service.
Where you have provided us with your consent previously but do not wish to be contacted by us about our work, events, services and/or activities in the future, please let us know by email at [email protected]. You can opt out of receiving emails at any time by clicking the “unsubscribe” link at the bottom of our emails.
We use systems including Salesforce (until 13 February) and then SendGrid to manage and deliver email communications.
6. Children’s personal information
When we process children’s personal information, we require the consent of a parent/ guardian for child memberships and we collect emergency contact details for safeguarding purposes. We may also record and report incidents involving minors in line with our safety management practices. We will always have in place appropriate safeguards to ensure that children’s personal information is handled with due care.
7. How long do we keep your personal information?
In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records six years after the last contact date. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see Section 11 below), we will remove it from our records at the relevant time.
Specific retention periods apply to some categories of information, for example:
a) CCTV footage: normally retained for up to 30 days
b) Incident reports: at least 3 years after the incident, or 3 years after the person turns 18 (i.e. typically until age 21 for minors). Incident records may also be retained longer as part of our safety management practices and because incident reports are uploaded to the ABC incident reporting system. ABC may process incident information for its own safety monitoring purposes as an independent organisation.
c) Employment records: retained in line with statutory retention periods (for example, personnel files and training records are retained for 6 years after employment ends; right to work documents for 2 years after employment ends; and other records as required by law).
d) Subject access requests: 1 year after completion.
e) If you request to receive no further contact from us, we may keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
8. Will we share your personal information?
We do not share, sell or rent your personal information to third parties for marketing purposes. However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice.
These parties may include (but are not limited to):
a) The ABC and the ABC Training Trust (ABC may process incident information for its own safety monitoring purposes as an independent organisation);
b) local government agencies;
c) funding bodes such as Sport England and NGB;
d) awarding bodies such as Mountain Training;
e) other members of the ABC including use of the ABC incident reporting system for incident reports;
f) healthcare professionals;
g) providers of kit and equipment;
h) suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as website hosts or cloud storage providers;
i) membership and booking system providers (including Rock Gym Pro);
j) payment service providers (including Stripe);
k) email and communications service providers (including Salesforce until 13 February and then SendGrid);
l) professional service providers such as accountants and lawyers;
m) parties assisting us with research to monitor the impact/effectiveness of our work, events, services and activities; and
n) regulatory authorities, such as tax authorities.
In particular, we reserve the right to disclose your personal information to third parties:
i) in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets;
ii) if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
iii) if we are under any legal or regulatory duty to do so; and/or
iv) to protect the rights, property or safety of TCH, its personnel, users, visitors or others.
9. Security/storage of and access to your personal information
TCH is committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.
Your personal information is only accessible by appropriately trained staff, volunteers and contractors, and stored on secure servers which have features to prevent unauthorised access. In addition, where necessary to fulfil data subject rights requests (such as access or deletion), we may use our IT managed service provider to assist us in locating, exporting or deleting personal data in our systems.
10. International Data Transfers
Given that we are a UK-based organisation, your personal information is generally processed in the UK. However, because we may sometimes use agencies and/or suppliers to process personal information on our behalf, it is possible that personal information we collect from you will be transferred to and stored in a location outside the UK. For example, some service providers (such as payment providers) may process data outside the UK.
Where your personal information is transferred outside the UK to a country that does not provide an equivalent standard of protection, we will take steps to ensure appropriate safeguards are in place. These safeguards may include the UK International Data Transfer Agreement (“IDTA”) and/or the UK Addendum to the EU Standard Contractual Clauses, as well as other safeguards permitted under UK data protection law.
Please note that some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. Where your personal information is transferred, stored and/or otherwise processed outside the EEA in a country that does not offer an equivalent standard of protection to the EEA, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards (such as by entering into standard contractual clauses which have been approved by the European Commission) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Notice. If you have any questions about the transfer of your personal information, please contact us using the details below.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access.
11. Exercising your Rights
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes or to unsubscribe from our email list at any time. You also have the following rights:
a) Right of access – you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply. We will respond within one month of receiving your request (subject to identity verification and any applicable exemptions), and we may extend this timeframe by up to two further months where requests are complex or numerous, as permitted by UK law.
b) Right of erasure – at your request we will delete your personal information from our records as far as we are required to do so. In many cases we would propose to suppress further communications with you, rather than delete it.
c) Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.
d) Right to restrict processing – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
e) Right to object – you have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests basis (see paragraph 4), (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
f) Right to data portability – to the extent required by the UK GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format
g) Rights related to automated decision-making – you have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation; (ii) is authorised by UK law; or (iii) is based on your explicit consent.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details in paragraph 14 below. Requests are currently managed by our internal team and may be supported by our IT managed service provider to access or delete information in our systems.
We encourage you to raise any concerns or complaints you have about the way we use your personal information by contacting us using the details provided in paragraph 14 below. You are further entitled to make a complaint to the Information Commissioner’s Office – www.ico.org.uk. For further information on how to exercise this right, please contact us using the details below.
12. Children and Young People – Additional Privacy Information
The Climbing Hangar welcomes young climbers and takes children’s privacy extremely seriously.
a) Parent/Guardian Consent
Where a child registers for membership or activities, we require the consent of a parent or legal guardian. We do not knowingly allow children to register independently without appropriate authorisation.
b) Emergency Contact Information
For safeguarding purposes, we collect emergency contact details for children, stored within their Rock Gym Pro profile. This information is used only where necessary to protect the child’s welfare or respond to emergencies.
c) Incidents Involving Minors
If an accident or incident involves a child, we may record:
- what occurred
- staff response
- relevant contributing factors
- any necessary medical notes
These records may be shared with the Association of British Climbing Walls (ABC) for safety monitoring.
Retention:
- incident records involving minors are kept until the individual reaches at least age 21, in line with best practice and limitation periods.
d) Additional Safeguards
We apply enhanced protections when processing children’s data, including:
- restricted staff access
- minimisation of data collected
- secure storage in authorised systems only
- regular review of safeguarding practices
13. Changes to this Notice
We may update this Notice from time to time. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing an update notice on our website. This Notice was last updated on 9th February 2026.
14. Links and third parties
We link our website directly to other sites. This Notice does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
15. How to contact us
Please let us know if you have any questions or concerns about this Notice or about the way in which TCH processes your personal information by contacting us at the channels below. Please ask for / mark messages for the attention of Hannah Heywood, Information Protection Officer.
Email: [email protected]
(For marketing opt-out requests, you can also use the unsubscribe link in our emails.)
Telephone 0151 345 0587
Post: The Climbing Hangar, 39 Fleet Street Liverpool L1 4AR